Fabio Ros

Finding Magento malware burner domains

Recently I came across another Magento CC malware case. At first it seemed like an ordinary instance of the kind I have seen plenty of times before, but this time it led me to a large number of burner domains. All 25 domains were either seeding the malware or collecting the data returned by the obfuscated JavaScript injected into the stores.

At last, I thought, I finally have something to share that will put my blog to good use!

Of the 25 domain names, 6 were already on the list of burner domains, which you can find here at the magento-malware-scanner.

In addition, you will find the list of the other domain names embedded below this post or in my gist.

Characteristics

Most of the domain names are chosen in a way that will most likely trick a developer into believing they are legitimate, for example:

optimizly.info

bralntree.com

The domains I found could be split into two main categories, each with their own characteristics.

Malware seeding domains

The seeding domains are responsible for distributing the malware. In my case, the injected JavaScript file was named after the store.

E.g. somebrandshop.js (burner-domain.com/ext/somebrandshop.js)

If you are dealing with large enterprise cases, which can contain dozens of external scripts, you will most likely miss one. These domains have a mechanism in place that internally rewrites any request under /ext/ to the same JavaScript file. With such a wide range of domains, the injected script can be made to appear legitimate, but it is not.

Data collecting domains

The data collecting domains are more of a shot in the dark, but there is sufficient reason to believe they are collecting the data. All of the collecting domains have a script at “/checkPayments.php” that returns HTTP status code 200, while every other page returns an Nginx notice.
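A triage helper for the two traits just described (the /ext/ rewrite of seeder domains and the /checkPayments.php behaviour of collectors), added here as an example; it is not part of the original post or of the magento-malware-scanner project. It classifies each host from a reverse-WHOIS result list before you add it to the scanner; the example hosts, their constructed responses and the http_fetch helper are assumptions for illustration.

```python
from __future__ import annotations
import secrets
import urllib.error
import urllib.request
from typing import Callable, Tuple

# A fetcher maps (host, path) to (HTTP status, body); status 0 means unreachable.
Fetcher = Callable[[str, str], Tuple[int, str]]

def classify_domain(host: str, fetch: Fetcher) -> str:
    """Return 'seeder', 'collector' or 'unknown' for one candidate host."""
    # Seeder trait from the post: every path under /ext/ is rewritten to the same
    # JavaScript file, so two random, never-published names come back 200 and identical.
    paths = [f"/ext/{secrets.token_hex(4)}.js" for _ in range(2)]
    (s1, b1), (s2, b2) = (fetch(host, p) for p in paths)
    looks_like_js = bool(b1) and not b1.lstrip().startswith("<")  # ignore HTML catch-alls
    if s1 == 200 and s2 == 200 and b1 == b2 and looks_like_js:
        return "seeder"
    # Collector trait: /checkPayments.php answers 200 while an arbitrary path does not.
    status_check, _ = fetch(host, "/checkPayments.php")
    status_other, _ = fetch(host, f"/{secrets.token_hex(4)}.php")
    if status_check == 200 and status_other != 200:
        return "collector"
    return "unknown"

def triage(hosts: list[str], fetch: Fetcher) -> dict[str, str]:
    """Classify every host taken from a reverse-WHOIS result list."""
    return {h: classify_domain(h, fetch) for h in hosts}

def http_fetch(host: str, path: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetcher (assumes HTTPS); hand it to triage() to check real candidates."""
    req = urllib.request.Request(f"https://{host}{path}", headers={"User-Agent": "burner-triage"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""

# Constructed offline stand-ins for the behaviours described; these hosts are not real.
CONSTRUCTED = {
    "seeder.example": lambda p: (200, "var _0x=['x'];") if p.startswith("/ext/") else (404, "nginx"),
    "collector.example": lambda p: (200, "") if p == "/checkPayments.php" else (404, "<html>nginx</html>"),
    "catchall.example": lambda p: (200, "<html>index</html>"),
}

def constructed_fetch(host: str, path: str) -> Tuple[int, str]:
    handler = CONSTRUCTED.get(host)
    return handler(path) if handler else (0, "")
```

A host that answers 200 with the same HTML for every path is reported as unknown rather than seeder, and an unreachable host is also unknown, so the output is a shortlist to confirm by hand, not a verdict.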

Using reverse WHOIS to find more of them

Finding these domains was straightforward because they were all registered under the same, most likely fake, alias. With reverse WHOIS you get a list of all the domains registered under that alias. These domains had all been registered in the past couple of months or were named in the ways described above, and each matched the characteristics of either a seeder or a collector.

The most difficult part was finding a free reverse WHOIS service, as they usually charge somewhere between 25 and 100 dollars for a full report. I found my free report at Whoxy, which I can recommend. When you come across another burner domain, I suggest you use a reverse WHOIS service like this one to find more and add them to the magento-malware-scanner.